This "sobig" virus...

twizdedboy

I know quite a bit about this mass mailing virus now.
However I still have a big problem. About 4 days ago I
was going on MSN to check my e-mail. When I opened it I
had an unusual amount of e-mail. I never get spam or
anything at this address because it is only for
friends/family.

When I checked them they all were "mail delivery failure"
messages sent by me containing the "W32.Sobig.F@mm"
virus. They were sent to a number of different people I
have never even heard of before.

The first thing I did was update my virus definitions...
they were all up to date (I use Norton Systemworks 2002).
Then I performed a complete computer virus check with
Norton Antivirus. When it was completed it had not found
any infected files. Now how can that be?

If my computer is not infected how am I sending out these
e-mails? Also I should point out that this is only
happening on my MSN e-mail account. Not my Yahoo. Any
ideas guys?
 
jan

In all likelihood, the virus has forged your address as
the sender (by acquiring your address from files on
someone's infected computer, not yours) and has mass
mailed all those messages as if you sent them. That is
the way the SobigF virus operates.
 
Alun Jones [MS MVP]

"twizdedboy" said:
If my computer is not infected how am I sending out these
e-mails? Also I should point out that this is only
happening on my MSN e-mail account. Not my Yahoo. Any
ideas guys?

When an email message is sent, the "From" and "To" addresses are specified
in the headers of the message. That's about as securely created as writing
addresses on the outside of an envelope and shoving it in a mailbox -
there's nothing to prevent you from putting crazy addresses in either place.

That's what this virus is doing - someone gets infected, and the virus goes
looking through their files for email addresses - it looks anywhere it wants
to, and picks two at random. One becomes the "From" address, and the other
becomes the "To" address. Then the virus sends itself.

Of course, the really crappy thing comes from the antivirus vendors that are
essentially doubling the damage of the virus. These guys have analysed
enough viruses that they should know that viruses fake their source all the
time - why are they sending a message to the innocent third parties that
they know aren't the infected source?

There has been a suggestion that this is a cynical attempt on the part of
the antivirus companies to advertise. Me, I think it's because they aren't
thinking about the effect of their actions - but then do you want an AV
company to not be thinking that hard? Either way, these response messages
have convinced me not to buy certain antivirus products.

If anyone reading this is administering one of these packages, please please
please turn off the automated responses - they do more harm than good.

Alun.
~~~~

[Please don't email posters, if a Usenet response is appropriate.]
 
Larry Samuels MS-MVP XP (Shell/User)

Simply delete the returned mails--someone else that is infected with Sobig
has you in their address book.
Your email was picked at random from their address book by the virus as the
spoofed from address.

--
Larry Samuels MS-MVP (Windows-Shell/User)
Associate Expert
Unofficial FAQ for Windows Server 2003 at
http://home.earthlink.net/~larrysamuels/WS2003FAQ.htm
Expert Zone -
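
One way to check such a "mail delivery failure" message yourself, as an added example that is not from any poster in this thread: when the bounce attaches the returned message, the topmost Received line of that attachment shows which host actually handed it to the bouncing server. The function name `classify_bounce`, the `my_networks` parameter (assumed to list the addresses your own mail legitimately leaves from) and the sample message are constructed for illustration.

```python
import email
import ipaddress
import re
from email import policy

# Constructed, simplified bounce (delivery-status part omitted); every
# address and host name below is a documentation placeholder.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: you@example.com
Subject: Mail delivery failure
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to stranger@example.net failed.
--b1
Content-Type: message/rfc822

Received: from infected-pc (unknown [203.0.113.45])
\tby mx.example.net with SMTP; Tue, 19 Aug 2003 10:00:00 +0000
From: you@example.com
To: stranger@example.net
Subject: constructed sample

constructed body
--b1--
"""

def classify_bounce(raw, my_address, my_networks):
    """Return (verdict, connecting_ip) for the message a bounce says we sent."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() != "message/rfc822":
            continue
        original = part.get_payload(0)  # the returned message itself
        if my_address.lower() not in str(original.get("From", "")).lower():
            return ("not-claimed-from-us", None)
        # The topmost Received line was stamped by the server that bounced
        # the mail and records the host that connected to it. From and any
        # lower Received lines are supplied by the sender and can be forged.
        received = original.get_all("Received") or [""]
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
        if not m:
            return ("no-origin-recorded", None)
        ip = ipaddress.ip_address(m.group(1))
        ours = any(ip in ipaddress.ip_network(n) for n in my_networks)
        return ("sent-from-our-network" if ours else "forged-sender-backscatter", str(ip))
    return ("no-original-attached", None)
```

Bounces that quote only part of the original, or none of it, come back as `no-original-attached`; for those the From line is all there is, and it proves nothing about where the message came from.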
 
